CVE-2025-68422
📋 TL;DR
CVE-2025-68422 is an improper authorization vulnerability in Kibana that allows authenticated users to bypass permission restrictions via crafted HTTP requests. This enables attackers without 'live queries - read' permission to retrieve live query lists, potentially exposing sensitive system information. Organizations running vulnerable Kibana versions with authenticated user access are affected.
💻 Affected Systems
- Kibana
📦 What is this software?
Kibana by Elastic
⚠️ Risk & Real-World Impact
Worst Case
Privileged attacker escalates to administrative access, accesses sensitive live query data, and potentially pivots to compromise the entire Elastic Stack environment.
Likely Case
Authenticated low-privilege user accesses live query information they shouldn't see, potentially exposing system monitoring data and query patterns.
If Mitigated
With proper network segmentation and minimal user permissions, impact is limited to unauthorized viewing of live query lists within the Kibana interface.
🎯 Exploit Status
Exploitation requires valid user credentials and knowledge of the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.19.7, 9.1.7, or 9.2.1
Vendor Advisory: https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-39/384187
Restart Required: Yes
Instructions:
1. Back up the Kibana configuration and data.
2. Stop the Kibana service.
3. Upgrade to a patched version (8.19.7, 9.1.7, or 9.2.1).
4. Restart the Kibana service.
5. Verify functionality.
🔧 Temporary Workarounds
Restrict Live Queries Access
Remove the 'live queries - read' permission from all users who do not absolutely need it.
kibana.yml: xpack.security.authorization.roles: remove live_queries_read from unnecessary roles
Network Access Control
Restrict Kibana access to trusted networks and users only.
Use firewall rules to limit access to the Kibana port (5601).
🧯 If You Can't Patch
- Implement strict principle of least privilege for all Kibana user accounts
- Monitor Kibana access logs for unauthorized live query list retrieval attempts
🔍 How to Verify
Check if Vulnerable:
Check Kibana version via GET /api/status or kibana --version. If version is before 8.19.7, 9.1.7, or 9.2.1, system is vulnerable.
Check Version:
curl -X GET 'http://localhost:5601/api/status' | grep 'number'
or
kibana --version
Verify Fix Applied:
After patching, verify version shows 8.19.7, 9.1.7, or 9.2.1. Test with low-privilege user attempting to access live queries endpoint.
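The version check above has to be done per release branch: 8.19.x is fixed at 8.19.7, 9.1.x at 9.1.7 and 9.2.x at 9.2.1, so a plain "is it below 9.2.1" comparison would wrongly flag a patched 8.19.7. The following is an added example, not code from the advisory or from Elastic; it reads `version.number` from a `GET /api/status` response (the sample body is constructed) and assumes, conservatively, that branches without a listed fix that are older than the newest fixed branch are vulnerable.

```python
import json
from typing import Tuple

# Patched releases named in the advisory, keyed by release branch.
# Any version on that branch below the listed release is vulnerable.
FIXED_VERSIONS = {
    (8, 19): (8, 19, 7),
    (9, 1): (9, 1, 7),
    (9, 2): (9, 2, 1),
}


def parse_version(number: str) -> Tuple[int, int, int]:
    """Turn '8.19.6' or '9.1.7-SNAPSHOT' into a (major, minor, patch) tuple."""
    core = number.split("-", 1)[0]  # drop any pre-release suffix
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kibana version string: {number!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_vulnerable(number: str) -> bool:
    major, minor, patch = parse_version(number)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is not None:
        return (major, minor, patch) < fixed
    # Assumption: branches newer than the newest fixed one (e.g. 9.3.x)
    # ship with the fix; branches older than it without a listed fix
    # (e.g. 8.18.x, 9.0.x) are treated as vulnerable.
    return (major, minor) < max(FIXED_VERSIONS)


def check_status_response(body: str) -> Tuple[str, bool]:
    """Read version.number from a GET /api/status JSON body and classify it."""
    version = json.loads(body)["version"]["number"]
    return version, is_vulnerable(version)


# Constructed sample of the relevant part of a /api/status response.
SAMPLE_STATUS = '{"name": "kibana-01", "version": {"number": "8.19.6"}}'

if __name__ == "__main__":
    ver, vuln = check_status_response(SAMPLE_STATUS)
    print(f"Kibana {ver}: {'VULNERABLE, upgrade' if vuln else 'patched'}")
```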
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /api/live_queries endpoints
- User permission violation logs in Kibana audit logs
Network Indicators:
- HTTP requests to live queries endpoints from unauthorized user accounts
- Unusual query patterns to live queries API
SIEM Query:
source="kibana.log" AND ("live_queries" OR "/api/live_queries") AND ("permission denied" OR "authorization failed")